Security Vulnerability in Remote Cache Extensions for Build Systems by Major Cloud Vendors
CVE-2025-36852

9.4 CRITICAL

What is CVE-2025-36852?

A significant security vulnerability exists in remote cache extensions used by common build systems. It lets contributors with pull request privileges inject compromised artifacts from untrusted environments into trusted production environments without detection. The issue stems from a flaw in the 'first-to-cache wins' design principle: malicious artifacts built in untrusted environments (such as feature branches or pull requests) can poison the cache used by secure environments. The attack completely bypasses established security measures such as encryption, access controls, and checksum validation, because the cache poisoning occurs during the artifact construction phase, before any of those protective measures are applied.
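
The 'first-to-cache wins' behaviour described above, as an added in-memory model that is not code from this advisory or from the affected plugins. Every name in it (RemoteCache, taskKey, the "trusted"/"untrusted" labels) is hypothetical, and the trust-scoped mode is an assumed mitigation that this page does not itself state.

```javascript
// Added illustration: in-memory model of a shared remote build cache.
// All names here are hypothetical, not Nx or plugin APIs.

// Toy FNV-1a digest standing in for a real hash such as SHA-256.
function digest(text) {
  let h = 0x811c9dc5;
  for (const ch of text) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The key is derived from task inputs only, so a pull request build and a
// main-branch build of the same inputs compute the same key.
const taskKey = (inputs) => digest(JSON.stringify(inputs));

class RemoteCache {
  constructor({ trustScoped }) {
    this.trustScoped = trustScoped;
    this.entries = new Map();
  }
  // Scoped mode makes the writer's trust level part of the storage slot.
  slot(key, trust) { return this.trustScoped ? `${trust}/${key}` : key; }
  put(key, artifact, trust) {
    const s = this.slot(key, trust);
    if (this.entries.has(s)) return false; // first-to-cache wins
    this.entries.set(s, { artifact, checksum: digest(artifact), writer: trust });
    return true;
  }
  get(key, trust) {
    const e = this.entries.get(this.slot(key, trust));
    if (!e) return null;
    // The checksum covers the bytes as uploaded, so it passes for any artifact.
    return { ...e, checksumOk: digest(e.artifact) === e.checksum };
  }
}

// Constructed scenario: an untrusted PR build stores an artifact first, then
// the trusted build requests the same key.
function trustedBuildSees(cache) {
  const key = taskKey({ project: "app", target: "build", sourceHash: "abc123" });
  cache.put(key, "artifact-from-untrusted-runner", "untrusted");
  const hit = cache.get(key, "trusted");
  if (hit) return hit; // cache hit: the trusted build reuses what is stored
  cache.put(key, "artifact-from-trusted-runner", "trusted");
  return cache.get(key, "trusted");
}
```

With trustScoped set to false the trusted build receives the untrusted writer's entry and its checksum still verifies; with trustScoped set to true the trusted build misses the cache and builds its own artifact.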

Affected Version(s)

AWS S3 Remote Cache Plugin for Nx 0

Azure Based Remote Cache Plugin for Nx 0

Azure Blob Remote Cache Plugin for Nx 0

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
